No, this isn’t a cleverly disguised double entendre, we really mean it. Keep your software off our hardware! The recent reports of Lenovo preloading Adware Superfish onto their laptops is only one of several recent indications that hardware suppliers may not have our best interests at heart.
Earlier this week it was announced that Lenovo had infected its own computers with an Adware product called Superfish. This software injects itself into search results provided by other providers like Google and Bing to provide additional revenue opportunities to Superfish advertisers. Lenovo claims “The intent was to supplement the shopping experience.” but it was really to supplement income through ad sales. But this gross invasion of our privacy was made worse by the fact that the adware interfered with SSL encryption making everything else the user did in the browser, ANY browser, insecure. Hackers could pick off bank account numbers, SSNs, or anything else sent from infected PCs directly off the wire.
But Lenovo’s sleazy back-door attempt to sell us products we don’t want was only the most recent invasion of our hardware. Security experts at Kaspersky also recently announced that the NSA has the ability to infect hard drive firmware to implant spyware directly onto our systems for surveillance purposes. This hack affects all of the major hard drive manufacturers including Western Digital, Seagate, Toshiba, Micron, and IBM. Another report coming out of the UK says that British and US intelligence agencies hacked into worlds largest SIM card manufacturer and gained access to a huge amount of the world’s cellular communications. Our privacy is under constant attack from governments, foreign and domestic, and now even by the hardware manufacturers themselves.
While I expect this issue will only get worse as PC and mobile phone manufacturers scramble to squeeze every penny they can get from their customer base, there are a few things you can do to protect yourself.
- Only purchase hardware from reputable vendors. Lenovo as the largest manufacturer of PCs in the world is certainly a reputable vendor, so this won’t necessarily stop snooping from happening. But what it will do is to improve the chance that any unethical behavior will be caught and once exposed will be rectified quickly. Right now Lenovo executives are scrambling to perform damage control and I’m sure that there are class action attorneys salivating at the upcoming opportunities to get rich from this mistake. While that may be little solace to those customers whose data is now buried in the Dark Web, Lenovo’s upcoming thrashing should at least serve as a warning to other manufacturers.
- Rebuild your OS from the ground up. In the past I always reformatted the hard drives of every new PC I bought before installing my own software. This was done not so much as a security measure but as a means to fight the bloatware that usually accompanies a new PC and to ensure that all of the OS features I needed for development were installed. Now this makes even more sense as we find that we can no longer trust the hardware manufacturers. Also remember to always download drivers from the manufacturer’s website. The myriad of driver download sites are steaming pots of virus and spyware filled software disguised as helpful archives.If rebuilding the OS from the ground up is too much work or beyond your current skillset, I would recommend you buy your PC directly from Microsoft using the “Signature Edition” moniker. These PCs come with only the standard build of Windows and drivers required to run the hardware.
- Pay attention to what’s running on your computer. If you do any significant browsing, downloading, or online content creation its only a matter of time before something gets installed onto your computer that you’d rather not have run. For example, most software now comes with “AutoUpdaters” that run every time your PC starts. Try installing Java and you’ll find that they offer to install the Ask search engine toolbar for you. You can use your Windows Task Manager to monitor the software running on your PC as shown below. Be sure to also check the Startup tab for anything configured to run at startup. As a rule of thumb, if you don’t recognize it you probably don’t need it.